65 matches found
CVE-2026-45297
OpenReplay is a self-hosted session replay suite. Prior to 1.26.0, there is a cross-tenant IDOR on feature-flag and assist-stats routes via projectid case mismatch. ProjectAuthorizer.call OSS api/auth/authproject.py:14-38 and EE ee/api/auth/authproject.py:14-46 only runs...
CVE-2026-45297
OpenReplay is a self-hosted session replay suite. Prior to 1.26.0, there is a cross-tenant IDOR on feature-flag and assist-stats routes via projectid case mismatch. ProjectAuthorizer.call OSS api/auth/authproject.py:14-38 and EE ee/api/auth/authproject.py:14-46 only runs...
CVE-2026-45296
OpenReplay is a self-hosted session replay suite. Prior to 1.26.0, OpenReplay's Python API exposes several appapikey routes that trust a caller-provided projectKey after validating only that the API key itself is valid and that the target projectKey exists. The authorization flow does not verify...
CVE-2026-45297
OpenReplay is a self-hosted session replay suite. Prior to 1.26.0, there is a cross-tenant IDOR on feature-flag and assist-stats routes via projectid case mismatch. ProjectAuthorizer.call OSS api/auth/authproject.py:14-38 and EE ee/api/auth/authproject.py:14-46 only runs...
EUVD-2026-32970
OpenReplay is a self-hosted session replay suite. Prior to 1.26.0, there is a cross-tenant IDOR on feature-flag and assist-stats routes via projectid case mismatch. ProjectAuthorizer.call OSS api/auth/authproject.py:14-38 and EE ee/api/auth/authproject.py:14-46 only runs...
CVE-2026-45297 Cross-tenant IDOR on feature-flag and assist-stats routes via {project_id} case mismatch
OpenReplay is a self-hosted session replay suite. Prior to 1.26.0, there is a cross-tenant IDOR on feature-flag and assist-stats routes via projectid case mismatch. ProjectAuthorizer.call OSS api/auth/authproject.py:14-38 and EE ee/api/auth/authproject.py:14-46 only runs...
OpenReplay 访问控制错误漏洞
OpenReplay is an open-source, developer-friendly, self-hosted session replay software. Versions of OpenReplay prior to 1.26.0 contained an access control vulnerability. This vulnerability stemmed from the lack of verification that the project belonged to the same tenant during API key...
PT-2026-44457
OpenReplay is a self-hosted session replay suite. Prior to 1.26.0, OpenReplay's Python API exposes several app apikey routes that trust a caller-provided projectKey after validating only that the API key itself is valid and that the target projectKey exists. The authorization flow does not verify...
Astra Linux - уязвимость в libcommons-compress-java
There is a vulnerability related to the “Unreachable Exit Condition” „Infinite Loop“ in Apache Commons Compress. This issue affects Apache Commons Compress versions from 1.3 to 1.25.0. Users are recommended to upgrade to version 1.26.0, which fixes this issue...
AZL-79628 CVE-2026-27137 affecting package golang 1.26.0-1
When verifying a certificate chain which contains a certificate containing multiple email address constraints which share common local portions but different domain portions, these constraints will not be properly applied, and only the last constraint will be considered...
AZL-79625 CVE-2026-27138 affecting package golang 1.26.0-1
Certificate verification can panic when a certificate in the chain has an empty DNS name and another certificate in the chain has excluded name constraints. This can crash programs that are either directly verifying X.509 certificate chains, or those that use TLS...
AZL-76688 CVE-2025-61732 affecting package golang 1.26.0-1
A discrepancy between how Go and C/C++ comments were parsed allowed for code smuggling into the resulting cgo binary...
CVE-2026-25536
MCP TypeScript SDK is the official TypeScript SDK for Model Context Protocol servers and clients. From version 1.10.0 to 1.25.3, cross-client response data leak when a single McpServer/Server and transport instance is reused across multiple client connections, most commonly in stateless...
CVE-2026-25536
CVE-2026-25536 affects the MCP TypeScript SDK. From versions 1.10.0 through 1.25.3, cross‑client data can leak when a single McpServer/Server and transport instance is reused across multiple client connections (notably in stateless StreamableHTTPServerTransport deployments). The issue arises from...
CVE-2026-25536
MCP TypeScript SDK is the official TypeScript SDK for Model Context Protocol servers and clients. From version 1.10.0 to 1.25.3, cross-client response data leak when a single McpServer/Server and transport instance is reused across multiple client connections, most commonly in stateless...
CVE-2026-25536 @modelcontextprotocol/sdk has cross-client data leak via shared server/transport instance reuse
MCP TypeScript SDK is the official TypeScript SDK for Model Context Protocol servers and clients. From version 1.10.0 to 1.25.3, cross-client response data leak when a single McpServer/Server and transport instance is reused across multiple client connections, most commonly in stateless...
EUVD-2026-5335
MCP TypeScript SDK is the official TypeScript SDK for Model Context Protocol servers and clients. From version 1.10.0 to 1.25.3, cross-client response data leak when a single McpServer/Server and transport instance is reused across multiple client connections, most commonly in stateless...
PT-2026-6315
Name of the Vulnerable Software and Affected Versions MCP TypeScript SDK versions 1.10.0 through 1.25.3 Description The MCP TypeScript SDK, designed for Model Context Protocol servers and clients, exhibits a cross-client response data leak. This occurs when a single McpServer/Server and transport...
Azure Linux 3.0 Security Update: javapackages-bootstrap (CVE-2024-25710)
The version of javapackages-bootstrap installed on the remote Azure Linux 3.0 host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the CVE-2024-25710 advisory. - Loop with Unreachable Exit Condition 'Infinite Loop' vulnerability in Apache Commons...
CVE-2022-50917
ProtonVPN 1.26.0 is affected by an unquoted service path issue in the WireGuard service configuration. The root cause is an unquoted executable path, allowing a local attacker to potentially gain elevated privileges during service startup and execute arbitrary code. This vulnerability is rated hi...